Exploring The Gap Between Cybersecurity Perception And Reality

Most company executives and security professionals have a reasonable understanding of cybersecurity. Even if they don’t fully understand the mechanics under the hood, they at least realize that there is a vast and aggressive threat landscape out there, and that their networks are under virtually constant siege from attackers. When you ask how they feel about their security, though, and how confident they are in their ability to successfully detect and block attacks, the response shows a startling disconnect between reality and their perception.

Last month at the RSA Security Conference in San Francisco, I had an opportunity to attend a panel discussion hosted by Arctic Wolf Networks. We met at Marianne’s, an eclectic little semi-secret room at the back of The Cavalier restaurant. The room is apparently themed after the cover of the Rolling Stones’ Beggars Banquet album and named for British rock icon Marianne Faithfull.

We were served coffee and orange juice and breakfast burritos, and then we sat and listened while a handful of security experts discussed this very issue in a panel discussion titled Cybersecurity Dissonance: Perception vs. Reality. The panel was comprised of David Monahan, Research Director at EMA Research, Dan Limon, Senior Systems Administrator for The Pasha Group, and Charles Muller, Director of IT at Threshold Enterprise. The session was led by Arctic Wolf CEO and co-founder Brian NeSmith.

The discussion centered around the results from a recent study on cybersecurity dissonance. The study found that almost everyone—95 percent to be precise—believes that their security posture is above average. Roughly nine in ten respondents believe that perimeter security tools are capable of combatting all cybersecurity threats, and nine out of ten also state that they have personnel dedicated solely to managing security.

On the reality side of that equation, however, 63 percent admit they cannot stop zero-day threats. Nearly three out of four report that their role is too broad and that it’s difficult to focus on IT security as much as they really should. The study also found that nearly 80 percent of security alerts are not addressed within the first hour after they are triggered.

There appears to be a disconnect. If two-thirds of those surveyed know they’re not equipped to defend against zero-day threats, and three-fourths know they’re not doing everything they can for IT security, how can it be possible that 95 percent feel their security is above average and almost all of those surveyed seem to feel their perimeter security controls are sufficient to stop all threats?

The short answer is simply that it’s human nature. It’s human nature to have an inflated sense of success or achievement. NeSmith pointed out the parallel with asking people if they keep themselves in good health. Many will answer, “Absolutely,” without hesitating. As he noted, though, you get a different picture when you follow up to ask how often they eat fast food, or how regularly they actually exercise. There is a disconnect: we know what we’re supposed to do, and we feel comfortable judging others for not doing those things, while simultaneously feeling that we are better than we really are, without any evidence to support that assumption.